Message-ID: <20251026215635.GA2368369@ax162>
Date: Sun, 26 Oct 2025 14:56:35 -0700
From: Nathan Chancellor <nathan@...nel.org>
To: Dimitri John Ledkov <dimitri.ledkov@...gut.co.uk>
Cc: linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
masahiroy@...nel.org, arnd@...db.de, linux-kbuild@...r.kernel.org,
legion@...nel.org, nsc@...nel.org
Subject: Re: [PATCH] kbuild: align modinfo section for Secureboot
Authenticode EDK2 compat

Hi Dimitri,

On Sun, Oct 26, 2025 at 08:21:00PM +0000, Dimitri John Ledkov wrote:
> Previously linker scripts would always generate vmlinuz that has sections
> aligned. And thus padded (correct Authenticode calculation) and unpadded

Was this something that was guaranteed to happen or did it just always
happen by coincidence? Is there a way to enforce this?

> calculation would be same. As in https://github.com/rhboot/pesign userspace
> tool would produce the same authenticode digest for both of the following
> commands:
>
> pesign --padding --hash --in ./arch/x86_64/boot/bzImage
> pesign --nopadding --hash --in ./arch/x86_64/boot/bzImage
>
> The commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
> vmlinux.unstripped") added .modinfo section of variable length. Depending
> on kernel configuration it may or may not be aligned.
>
> All userspace signing tooling correctly pads such section to calculate
> spec compliant authenticode digest.

I might be missing something here but .modinfo should not be in the
final vmlinux since it gets stripped out via the strip_relocs rule in
scripts/Makefile.vmlinux. Does this matter because an unaligned .modinfo
section could potentially leave sections after it in the linker scripts
unaligned as well?

> However, if bzImage is not further processed and is attempted to be loaded
> directly by EDK2 firmware, it calculates unpadded Authenticode digest and

Could this affect other bootloaders as well? I noticed this report about
rEFInd and pointed them here in case it was related:

https://lore.kernel.org/CAB95QARfqSUNJCCgyPcTPu0-hk10e-sOVVMrnpKd6OdV_PHrGA@mail.gmail.com/

> fails to correctly accept/reject such kernel builds even when proper
> Authenticode values are enrolled in db/dbx. One can say EDK2 requires
> aligned/padded kernels in Secureboot.
>
> Thus add ALIGN(8) to the .modinfo section, to ensure kernels irrespective of
> modinfo contents can be loaded by all existing EDK2 firmware builds.
>
> Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")

I took this change via the Kbuild tree for 6.18-rc1 so I can pick this
up for kbuild-fixes or Arnd can take this if he has anything pending for
fixes in the asm-generic tree.

> Cc: stable@...r.kernel.org
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@...gut.co.uk>
> ---
> include/asm-generic/vmlinux.lds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
> index 8a9a2e732a65b..e04d56a5332e6 100644
> --- a/include/asm-generic/vmlinux.lds.h
> +++ b/include/asm-generic/vmlinux.lds.h
> @@ -832,7 +832,7 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG)
>
> /* Required sections not related to debugging. */
> #define ELF_DETAILS \
> - .modinfo : { *(.modinfo) } \
> + .modinfo : { *(.modinfo) . = ALIGN(8); } \
> .comment 0 : { *(.comment) } \
> .symtab 0 : { *(.symtab) } \
> .strtab 0 : { *(.strtab) } \
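Review bot: The `. = ALIGN(8);` added inside the `.modinfo` output section of ELF_DETAILS carries no comment, so nothing in vmlinux.lds.h tells a later reader that the padding exists for Authenticode digest compatibility rather than for any consumer of .modinfo; a short note next to the "Required sections not related to debugging" comment would keep it from being removed as dead padding. The change also pads only the end of this one section and leaves .comment, .symtab and .strtab as they were, so the commit message should say which following section or image boundary has to end up 8-byte aligned, and whether that can be checked at link time instead of depending on this section's size.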
> --
> 2.51.0
>
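
The padded and unpadded digests discussed in this thread differ only when the hashed image length is not a multiple of 8. The following Python code is an added example, not code from the patch, pesign or EDK2: it assumes a simplified Authenticode-style SHA-256 (the whole unsigned file minus the CheckSum field and the Certificate Table directory entry), an 8-byte boundary as in the patch's ALIGN(8), a constructed header-only PE32+ blob, and hypothetical function names.

```python
import hashlib
import struct

def pe_skip_offsets(data):
    """Offsets of the two header fields Authenticode leaves out of the hash."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                         # after signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 / PE32+ data directories
    return opt + 64, dirs + 4 * 8                         # CheckSum, Certificate Table entry

def authenticode_digest(data, padded, align=8):
    """Simplified model: SHA-256 of an unsigned image minus the skipped fields."""
    csum, cert = pe_skip_offsets(data)
    h = hashlib.sha256()
    h.update(data[:csum])
    h.update(data[csum + 4:cert])
    h.update(data[cert + 8:])
    if padded and len(data) % align:
        h.update(b"\0" * (align - len(data) % align))     # zero-fill to the boundary
    return h.hexdigest()

def digests_agree(data):
    """True when a padding and a non-padding verifier compute the same value."""
    return authenticode_digest(data, True) == authenticode_digest(data, False)

def sample_image(payload_len):
    """Constructed PE32+ header plus filler payload; not a bootable kernel."""
    hdr = bytearray(0x40 + 24 + 240)                      # 328 bytes, a multiple of 8
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)
    return bytes(hdr) + b"\xAA" * payload_len

if __name__ == "__main__":
    for n in (64, 61):                                    # aligned vs. unaligned length
        img = sample_image(n)
        print(len(img), len(img) % 8, digests_agree(img))
```

Running `digests_agree()` over a build artifact before enrolling its hash shows whether a verifier that skips padding would compute a different value from the signing tool.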